Bug 1650089 - Part 1: Add a remoteTypeOverride option for about:blank loads triggered by chrome, r=annyG,kmag

After the changes in this bug, about:blank loads triggered by chrome will
finish in a "web" content process, as they have an untrusted null principal
without a precursor. In a few places throughout the codebase, however, we
perform about:blank loads with the explicit expectation that they do not change
processes. This new remoteTypeOverride option allows the intended final process
to be explicitly specified in this situation.

For security & simplicity reasons, this new attribute is limited to only be
usable on system-principal triggered loads of about:blank in toplevel browsing
contexts.

Differential Revision: https://phabricator.services.mozilla.com/D120671

browser/base/content/browser.js

@@ -1493,8 +1493,14 @@ function _loadURI(browser, uri, params = {}) {
     uri = "about:blank";
   }
 
-  let { triggeringPrincipal, referrerInfo, postData, userContextId, csp } =
+  let {
-    params || {};
+    triggeringPrincipal,
+    referrerInfo,
+    postData,
+    userContextId,
+    csp,
+    remoteTypeOverride,
+  } = params || {};
   let loadFlags =
     params.loadFlags || params.flags || Ci.nsIWebNavigation.LOAD_FLAGS_NONE;
   let hasValidUserGestureActivation =
@@ -1539,6 +1545,7 @@ function _loadURI(browser, uri, params = {}) {
     referrerInfo,
     postData,
     hasValidUserGestureActivation,
+    remoteTypeOverride,
   };
   try {
     browser.webNavigation.loadURI(uri, loadURIOptions);

browser/components/sessionstore/ContentRestore.jsm

@@ -218,6 +218,10 @@ ContentRestoreInternal.prototype = {
         let loadURIOptions = {
           triggeringPrincipal: Services.scriptSecurityManager.getSystemPrincipal(),
           loadFlags: Ci.nsIWebNavigation.LOAD_FLAGS_BYPASS_HISTORY,
+          // Specify an override to force the load to finish in the current
+          // process, as tests rely on this behaviour for non-fission session
+          // restore.
+          remoteTypeOverride: Services.appinfo.remoteType,
         };
         webNavigation.loadURI("about:blank", loadURIOptions);
       }

browser/components/sessionstore/SessionStore.jsm

@@ -3649,6 +3649,7 @@ var SessionStoreInternal = {
       triggeringPrincipal: Services.scriptSecurityManager.createNullPrincipal({
         userContextId: aTab.userContextId,
       }),
+      remoteTypeOverride: E10SUtils.NOT_REMOTE,
     });
 
     let data = TabState.collect(aTab, TAB_CUSTOM_VALUES.get(aTab));

docshell/base/nsDocShellLoadState.cpp

@@ -88,6 +88,7 @@ nsDocShellLoadState::nsDocShellLoadState(
         aLoadState.loadingSessionHistoryInfo().ref());
   }
   mUnstrippedURI = aLoadState.UnstrippedURI();
+  mRemoteTypeOverride = aLoadState.RemoteTypeOverride();
 }
 
 nsDocShellLoadState::nsDocShellLoadState(const nsDocShellLoadState& aOther)
@@ -133,7 +134,8 @@ nsDocShellLoadState::nsDocShellLoadState(const nsDocShellLoadState& aOther)
       mLoadIdentifier(aOther.mLoadIdentifier),
       mChannelInitialized(aOther.mChannelInitialized),
       mIsMetaRefresh(aOther.mIsMetaRefresh),
-      mUnstrippedURI(aOther.mUnstrippedURI) {
+      mUnstrippedURI(aOther.mUnstrippedURI),
+      mRemoteTypeOverride(aOther.mRemoteTypeOverride) {
   if (aOther.mLoadingSessionHistoryInfo) {
     mLoadingSessionHistoryInfo = MakeUnique<LoadingSessionHistoryInfo>(
         *aOther.mLoadingSessionHistoryInfo);
@@ -369,6 +371,11 @@ nsresult nsDocShellLoadState::CreateFromLoadURIOptions(
     nsDocShell::MaybeNotifyKeywordSearchLoading(searchProvider, keyword);
   }
 
+  if (aLoadURIOptions.mRemoteTypeOverride.WasPassed()) {
+    loadState->SetRemoteTypeOverride(
+        aLoadURIOptions.mRemoteTypeOverride.Value());
+  }
+
   loadState.forget(aResult);
   return NS_OK;
 }
@@ -1046,6 +1053,7 @@ DocShellLoadStateInit nsDocShellLoadState::Serialize() {
     loadState.loadingSessionHistoryInfo().emplace(*mLoadingSessionHistoryInfo);
   }
   loadState.UnstrippedURI() = mUnstrippedURI;
+  loadState.RemoteTypeOverride() = mRemoteTypeOverride;
   return loadState;
 }
 

docshell/base/nsDocShellLoadState.h

@@ -304,6 +304,14 @@ class nsDocShellLoadState final {
 
   bool IsMetaRefresh() const { return mIsMetaRefresh; }
 
+  const mozilla::Maybe<nsCString>& GetRemoteTypeOverride() const {
+    return mRemoteTypeOverride;
+  }
+
+  void SetRemoteTypeOverride(const nsCString& aRemoteTypeOverride) {
+    mRemoteTypeOverride = mozilla::Some(aRemoteTypeOverride);
+  }
+
   // When loading a document through nsDocShell::LoadURI(), a special set of
   // flags needs to be set based on other values in nsDocShellLoadState. This
   // function calculates those flags, before the LoadState is passed to
@@ -524,6 +532,9 @@ class nsDocShellLoadState final {
   // The original URI before query stripping happened. If it's present, it shows
   // the query stripping happened. Otherwise, it will be a nullptr.
   nsCOMPtr<nsIURI> mUnstrippedURI;
+
+  // If set, the remote type which the load should be completed within.
+  mozilla::Maybe<nsCString> mRemoteTypeOverride;
 };
 
 #endif /* nsDocShellLoadState_h__ */

dom/base/nsFrameLoader.cpp

@@ -719,6 +719,16 @@ nsresult nsFrameLoader::ReallyStartLoadingInternal() {
     loadState->SetLoadFlags(flags);
 
     loadState->SetFirstParty(false);
+
+    // If we're loading the default about:blank document in a <browser> element,
+    // prevent the load from causing a process switch by explicitly overriding
+    // remote type selection.
+    if (mPendingBrowsingContext->IsTopContent() &&
+        mOwnerContent->IsXULElement(nsGkAtoms::browser) &&
+        NS_IsAboutBlank(mURIToLoad) &&
+        loadState->TriggeringPrincipal()->IsSystemPrincipal()) {
+      loadState->SetRemoteTypeOverride(mRemoteType);
+    }
   }
 
   if (IsRemoteFrame()) {

dom/ipc/DOMTypes.ipdlh

@@ -303,6 +303,8 @@ struct DocShellLoadStateInit
   bool IsMetaRefresh;
 
   nsIURI UnstrippedURI;
+
+  nsCString? RemoteTypeOverride;
 };
 
 struct TimedChannelInfo

dom/webidl/LoadURIOptions.webidl

@@ -79,4 +79,14 @@ dictionary LoadURIOptions {
    * when initiating the load.
    */
   long cancelContentJSEpoch = 0;
+
+  /**
+   * If this is passed, it will control which remote type is used to finish this
+   * load. Ignored for non-`about:` loads.
+   *
+   * NOTE: This is _NOT_ defaulted to `null`, as `null` is the value for
+   * `NOT_REMOTE_TYPE`, and we need to determine the difference between no
+   * `remoteTypeOverride` and a `remoteTypeOverride` of `NOT_REMOTE_TYPE`.
+   */
+  UTF8String? remoteTypeOverride;
 };

netwerk/ipc/DocumentLoadListener.cpp

@@ -539,6 +539,21 @@ auto DocumentLoadListener::Open(nsDocShellLoadState* aLoadState,
     }
   }
 
+  if (aLoadState->GetRemoteTypeOverride()) {
+    if (!mIsDocumentLoad || !NS_IsAboutBlank(aLoadState->URI()) ||
+        !loadingContext->IsTopContent()) {
+      LOG(
+          ("DocumentLoadListener::Open with invalid remoteTypeOverride "
+           "[this=%p]",
+           this));
+      *aRv = NS_ERROR_DOM_SECURITY_ERR;
+      mParentChannelListener = nullptr;
+      return nullptr;
+    }
+
+    mRemoteTypeOverride = aLoadState->GetRemoteTypeOverride();
+  }
+
   if (!nsDocShell::CreateAndConfigureRealChannelForLoadState(
           loadingContext, aLoadState, aLoadInfo, mParentChannelListener,
           nullptr, attrs, aLoadFlags, aCacheKey, *aRv,
@@ -1574,6 +1589,11 @@ bool DocumentLoadListener::MaybeTriggerProcessSwitch(
   nsAutoCString preferredRemoteType(currentRemoteType);
   RemotenessChangeOptions options;
 
+  // If there is a remote type override, default to it.
+  if (mRemoteTypeOverride) {
+    preferredRemoteType = *mRemoteTypeOverride;
+  }
+
   // Update the preferred final process for our load based on the
   // Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers.
   {
@@ -2520,6 +2540,10 @@ DocumentLoadListener::AsyncOnChannelRedirect(
   // the new URI and set these again.
   mIParentChannelFunctions.Clear();
 
+  // If we had a remote type override, ensure it's been cleared after a
+  // redirect, as it can't apply anymore.
+  mRemoteTypeOverride.reset();
+
 #ifdef ANDROID
   nsCOMPtr<nsIURI> uriBeingLoaded =
       AntiTrackingUtils::MaybeGetDocumentURIBeingLoaded(mChannel);

netwerk/ipc/DocumentLoadListener.h

@@ -544,6 +544,8 @@ class DocumentLoadListener : public nsIInterfaceRequestor,
 
   bool mSupportsRedirectToRealChannel = true;
 
+  Maybe<nsCString> mRemoteTypeOverride;
+
   // The process id of the content process that we are being called from
   // or 0 initiated from a parent process load.
   base::ProcessId mOtherPid = 0;

toolkit/content/widgets/browser-custom-element.js

@@ -814,6 +814,7 @@
         postData,
         headers,
         csp,
+        remoteTypeOverride,
       } = aParams;
       let loadFlags =
         aParams.loadFlags ||
@@ -826,6 +827,7 @@
         loadFlags,
         postData,
         headers,
+        remoteTypeOverride,
       };
       this._wrapURIChangeCall(() =>
         this.webNavigation.loadURI(aURI, loadURIOptions)